A traffic manipulation and cryptocurrency mining campaign has infected more than 9,000 organizations in industries such as finance, education and government, amassing 40,000-plus machines.
A traffic manipulation and cryptocurrency mining campaign has infected more than 9,000 organizations in industries such as finance, education and government, amassing 40,000-plus machines.

A traffic manipulation and cryptocurrency mining campaign has infected more than 9,000 organizations in industries such as finance, education and government amassing 40,000-plus machines.

Guardicore Labs researchers spotted the campaign dubbed Operation Prowli targeting vulnerable platforms, including CMS servers, backup servers, DSL modems and IOT devices to mine cryptocurrency, promote fake websites and run tech support scams, according to a June 6 blog post.

The attackers use various attack techniques including exploits, password brute-forcing, and weak configurations to monetize their victim's machine. Researchers have tracked the campaign across several networks in different counties and noted the attackers using unfamiliar tools new to the Guardicore Reputation repository as well as other known datasets such as VirusTotal.

The attackers also used binaries with the same domain name hardcoded, with each of the binaries designed to attack different series and CPU architectures. Their malware uses binary named r2r2 is written in Golang in brute force attacks and uses multiple copies of the worm for different CPU architectures.

Over a three week period, researchers spotted dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations which led them, to investigate the attackers' infrastructure and the discovery of wide-ranging operation attacks against multiple services.

Threat actors store a collection of victim machines with IPs and domains that expose different services to the Internet which are either vulnerable to remote pre-authentication attacks or allow the attackers to brute force their way inside.

Targeted services include Drupal CMS websites, WordPress sites, DSL modems, servers with an open SSH port, vulnerable IoT devices, servers exposing HP Data Protector Software and more.

Researchers found that 67 percent of the services are distributed through SSH, 9 percent SMB, 8 percent WordPress, 7 percent phpMyAdmin, 6 percent other, and 3 percent Drupal.

The majority of compromised companies were consumer services, computer services, colleges and computer software

Attacks are based on a mix of known vulnerabilities and credential guessing so in addition to ensuring systems are patched and up to date, users should lock down systems and segmenting vulnerable or hard to secure systems, to separate them from the rest of your network in addition to strong passwords.

For users who can't patch their CMS software, researchers recommended users assume they will be hacked at some point and follow strict hardening guides to minimize damage.